June 1, 2022

By: Christopher A. Iacono

Takeaway: While the current patchwork of state consumer privacy laws is complex, there are consumer rights and business obligations that are common to all of the laws. An awareness of these key concepts will help make it easier for compliance.

Without a comprehensive federal privacy law, consumer privacy has been left to states.  To date, California, Virginia, Colorado, Utah, and Connecticut have enacted comprehensive consumer privacy laws.  Many other states have similar privacy legislation pending.  This is one of the most active areas in the privacy space and as a result can be overwhelming to businesses trying to comply.  Luckily, each of the current states’ laws and proposed legislation pending around the country (including the proposed federal legislation) contain all or at least some of the same consumer rights and business obligations.  These rights and obligations are:

Consumer Rights

• Right of Access – The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information.
• Right of Rectification – The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
• Right of Deletion – The right for a consumer to request deletion of personal information about the consumer under certain conditions.
• Right of Restriction – The right for a consumer to restrict a business’s ability to process personal information about the consumer.
• Right of Portability – The right for a consumer to request personal information about the consumer be disclosed in a common file format.
• Right of Opt-Out – The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
• Right Against Automated Decision Making – A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
• Private Right of Action – The right for a consumer to seek civil damages from a business for violations of a statute.

Business Obligations

• Opt-in requirement age – A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information.
• Notice/Transparency requirement – An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
• Risk Assessments – An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
• Prohibition of Discrimination – A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
• Purpose/Processing Limitation – A prohibition on the collection/processing of personal information except for a specific purpose.

As more states will enact consumer privacy legislation in the coming months and years, awareness of the fundamental consumer rights and business obligations will be the key to understanding the law and ensuring compliance.